ExpressionEngine Secure Mode forms

While working on a couple of recent ExpressionEngine projects, we needed to process forms directly with PHP in the EE templates. After submitting a form, we kept seeing a mysterious error: “This form has expired. Please refresh and try again.” It turns out that ExpressionEngine expects an extra hidden field in the form to satisfy the system's security settings. Once the hidden field below is added, the form is processed without a problem.

<input name="XID" type="hidden" value="{XID_HASH}" />
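To catch the same error before it reaches users, hand-built forms can be checked for the field ahead of deployment. The script below is an added example, not part of the original post or of ExpressionEngine; the `XidFormChecker` and `forms_missing_xid` names and the sample template are constructed for illustration. It reports every POST form in a template that lacks the hidden `XID` input shown above.

```python
from html.parser import HTMLParser

# Constructed sample template: only the first form carries the XID field.
SAMPLE_TEMPLATE = """
<form method="post" action="/contact">
  <input name="XID" type="hidden" value="{XID_HASH}" />
  <input name="email" type="text" />
</form>
<form method="POST" action="/signup">
  <input name="email" type="text" />
</form>
<form method="get" action="/search">
  <input name="q" type="text" />
</form>
"""

class XidFormChecker(HTMLParser):
    """Collects POST forms that lack a hidden XID input set to {XID_HASH}."""
    def __init__(self):
        super().__init__()
        self.missing = []   # (line, action) of POST forms without the field
        self._form = None   # state of the form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}  # attribute names arrive lowercased
        if tag == "form":
            is_post = a.get("method", "").lower() == "post"
            self._form = {"line": self.getpos()[0], "action": a.get("action", ""),
                          "post": is_post, "has_xid": False}
        elif tag == "input" and self._form is not None:
            if (a.get("name") == "XID" and a.get("type", "").lower() == "hidden"
                    and a.get("value") == "{XID_HASH}"):
                self._form["has_xid"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._form["post"] and not self._form["has_xid"]:
                self.missing.append((self._form["line"], self._form["action"]))
            self._form = None

def forms_missing_xid(template_text):
    """Return [(line, action)] for every POST form without the XID hidden field."""
    checker = XidFormChecker()
    checker.feed(template_text)
    return checker.missing

if __name__ == "__main__":
    for line, action in forms_missing_xid(SAMPLE_TEMPLATE):
        print(f"line {line}: POST form to {action!r} has no XID field")
```

Inline PHP that contains `>` can confuse `html.parser`, so treat a reported form as a prompt to review the template rather than a final verdict.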
